fixup! Give Variable a Scope Refactoring

4 years ago · fafcb7151f
--- a/group_vars/all.yaml.example
+++ b/group_vars/all.yaml.example
@ -1,37 +1,48 @@
 ---
 # Put here the public ip for your organisation
 public_ip: 0.0.0.0
 # Put here the domain for your organisation
 domain: "example.com"
 # Put here an email address to receive Let's Encrypt communications.
 organization: 'ExampleOrg'
 letsencrypt_email: 'admin@example.com'

 # Put the TLS X.509 Subject Prefix (before OU=)
 x509_subject_prefix: '/C=IT/L=Firenze/O=Example'
 # Here the same in LDAP (and reversed) format
 x509_ldap_suffix: 'o=Example,l=Firenze,c=it'
 # Put the TLS X.509 Subject Prefix elements (before OU)
 x509_subj_prefix:
  C: 'IT'
  #ST: ''
  L: 'Firenze'
  O: '{{ organization }}'

 # Put here the public key of the user CAs.
 # The first one will be used also to check if host certificate are
 # updated.
 user_ca_keys:
  - "ssh-ed25519 AAAA(...) Active Production key"
 ssh_user_ca:
  - "ssh-ed25519 AAAA(...) SSH User CA - Active Production key"
  - "ssh-ed25519 AAAA(...) Older not-expired key"
 #  - "ssh-ed25519 AAAA(...) Revoked key"

 ssh_server_ca: "ssh-ed25519 AAAA(...) SSH Server CA - Active Production key"

 monitoring_host: 'status'

 # Do not change -> probably will soon be moved elsewhere
 openssl_x509_prefix: >-
  {% for k, v in x509_subj_prefix.items() %}/{{k}}={{v}}{% endfor %}

 # Put TLS Certificate of your Root Certification Authority
 tls_root_ca: |
  -----BEGIN CERTIFICATE-----
  #########################
  -----END CERTIFICATE-----
 # Put TLS Certificate for OpenVPN Server Intermediate CA
 tls_vpn_user_ca: |
 tls_intermediate_server_ca: |
  -----BEGIN CERTIFICATE-----
  #########################
  -----END CERTIFICATE-----
 # Put TLS Certificate for OpenVPN Users Intermediate CA
 tls_vpn_server_ca: |
 tls_intermediate_user_ca: |
  -----BEGIN CERTIFICATE-----
  ##########################
  -----END CERTIFICATE-----

 # Optionals customization
 #openvpn_tls_server_ca: '{{ tls_intermediate_server_ca }}'
 #openvpn_tls_user_ca: '{{ tls_intermediate_server_ca }}'
--- a/roles/openvpn/defaults/main.yaml
+++ b/roles/openvpn/defaults/main.yaml
@ -1,3 +1,5 @@
 ---
 server_fqdn: '{{ inventory_hostname }}.{{ domain }}'
 host_fqdn: '{{ inventory_hostname }}.dmz.{{ domain }}'
 openvpn_tls_server_ca: '{{ tls_intermediate_server_ca }}'
 openvpn_tls_user_ca: '{{ tls_intermediate_user_ca }}'
 ...
--- a/roles/openvpn/tasks/main.yaml
+++ b/roles/openvpn/tasks/main.yaml
@ -28,14 +28,14 @@

 - name: 'upload server ca'
  copy:
    content: '{{ tls_vpn_server_ca }}{{ tls_root_ca }}'
    content: '{{ openvpn_tls_server_ca }}{{ tls_root_ca }}'
    dest: '/etc/openvpn/server_ca.crt'
  tags:
    - 'tls_int'

 - name: 'upload user ca'
  copy:
    content: '{{ tls_vpn_user_ca }}{{ tls_root_ca }}'
    content: '{{ openvpn_tls_user_ca }}{{ tls_root_ca }}'
    dest: '/etc/openvpn/user_ca.crt'
  notify: 'reload openvpn'
  tags:
@ -56,7 +56,7 @@
  shell: >
    openssl req
    -new
    -subj "{{ x509_subject_prefix }}/OU=Server/CN={{ server_fqdn }}"
    -subj "{{ openssl_x509_prefix }}/OU=Server/CN={{ host_fqdn }}"
    -key /etc/openvpn/openvpn.key
    -out /etc/openvpn/openvpn.csr
  when: openvpn_cert_is_valid.rc != 0
@ -65,7 +65,7 @@

 - import_tasks: 'ca-signing-request.yaml'
  vars:
    host: '{{ server_fqdn }}'
    host: '{{ host_fqdn }}'
    request_path: '/etc/openvpn/openvpn.csr'
    output_path: '/etc/openvpn/openvpn.crt'
  when: openvpn_cert_is_valid.rc != 0
--- a/roles/ssh_server/templates/user_ca.pub.j2
+++ b/roles/ssh_server/templates/user_ca.pub.j2
@ -1,4 +1,4 @@
 {% for key in user_ca_keys %}
 {% for key in ssh_user_ca %}
 {{ key }}
 {% endfor %}